Rapid advances in personal healthcare systems based on implantable and wearable medical devices promise to greatly improve the quality of diagnosis and treatment for a range of medical conditions. However, the increasing programmability and wireless connectivity of medical devices also open up opportunities for malicious attackers. Unfortunately, implantable/wearable medical devices come with extreme size and power constraints, and unique usage models, making it infeasible to simply borrow conventional security solutions such as cryptography.
In recent years, medical advances as well as innovations in ultra-low-power computing, networking, and sensing technologies have led to an explosion in implantable and wearable medical devices (IWMDs). IWMDs are currently used to perform cardiac pacing, defibrillation, insulin delivery and glucose monitoring, deep brain stimulation, intrathecal drug infusion, and many other diagnostic, monitoring, and therapeutic functions. IWMDs commonly include wireless communication interfaces through which they can be connected to external diagnostic or programming equipment, or to body area networks (BANs) to form personal healthcare systems (PHSs). A PHS typically includes sensors for physiological data collection, actuators for therapy delivery, remote controllers for reconfiguration, and a hub for logging, compressing, and analyzing the raw health data.
Since the functions performed by IWMDs and PHSs are frequently life-critical, any malfunction in their operation is of utmost concern. An incessant trend in IWMDs has been towards increased functional complexity, software programmability, and network connectivity. While these advances are desirable from the viewpoint of the improvements they bring in diagnostic/therapeutic effectiveness and convenience to patients, they also combine to greatly increase the risk of security vulnerabilities and malicious attacks. Ensuring the security of IWMDs and PHSs is therefore a sine qua non, given life-critical functions such as cardiac pacing, continuous blood glucose monitoring and insulin delivery (CBGM), and brain-machine interfacing (BMI). Unfortunately, the very tight power and size budgets that are inherent to IWMDs virtually rule out the use of conventional security solutions such as cryptography. Inductive charging offers the possibility of relaxing the energy constraints and avoiding the complications and costs associated with replacing batteries for medical implants. However, wireless charging for IWMDs is still in the research phase and must go through rigorous testing to ensure safety before commercial use. In addition to resource constraints, the need for emergency responders to communicate with medical devices (in the absence of any mechanism, such as a public key infrastructure, for shared key establishment) is also cited as a factor preventing the use of encryption. In summary, the current generation of IWMDs typically does not employ cryptographic protection for their radio-frequency (RF) wireless communications.
Due to the absence of cryptographic protection, the wireless channel has been identified as the Achilles' heel of medical devices. Recent demonstrations of successful RF wireless attacks on cardiac pacemakers and insulin pumps have placed medical device security under great scrutiny. For example, a previously described attack on a glucose monitoring and insulin delivery system exploits the wireless channels between the device and its controller, and between medical devices. In such a scenario, the attacker first eavesdrops on the wireless packets sent from a remote control to an insulin pump. From the captured packets, the attacker reverse-engineers the device PINs associated with the remote control and glucose meter. By mimicking the remote control, the attacker can configure the insulin pump to disable or change the intended therapy, stop the insulin injection, or inject a much higher dose than allowed. By mimicking the glucose meter, the attacker can send bogus data to the insulin pump, causing the pump to adjust insulin delivery based on the false data. In addition, the attacker can snoop on the packets to infer sensitive patient data.
The above attack is hard to defend against, especially because it is hard to differentiate the attacker's forged wireless transmissions from legitimate ones. It would be desirable to provide an improved medical security monitor that detects such wireless attacks and protects PHS integrity and patient safety.
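To make the detection task concrete, the following is an added example (written for this page; it is not the monitor described by this document, nor any real device's protocol) of a passive medical security monitor. It observes a constructed log of wireless frames in a PHS like the one above and flags the forged-command and bogus-reading patterns described in the attack scenario: a command claiming to come from the remote control but carrying an oversized dose, arriving too soon after the previous command, or arriving with a signal strength unlike the real remote's; a glucose reading that jumps implausibly; a frame from an unknown device ID; and a device sending a message type its role never produces. The packet format, device IDs, and safety thresholds are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """One wireless frame as seen by the passive monitor (constructed format, not a real protocol)."""
    t: float           # seconds since monitoring started
    src: str           # claimed sender ID
    dst: str           # destination ID
    kind: str          # "cmd" (remote control -> pump) or "glucose" (meter -> pump)
    payload: float     # bolus dose in insulin units for "cmd"; mg/dL for "glucose"
    rssi: int          # received signal strength in dBm at the monitor
    op: str = "bolus"  # for "cmd": "bolus", "suspend" or "resume"


# Safety policy (assumed values chosen for illustration, not taken from any real pump)
KNOWN_DEVICES = {"REMOTE-01", "METER-01", "PUMP-01"}
MAX_SINGLE_BOLUS_U = 10.0         # largest single dose the policy allows
MIN_CMD_INTERVAL_S = 60.0         # commands closer together than this look like replay/flooding
GLUCOSE_RANGE_MGDL = (40.0, 400.0)
MAX_GLUCOSE_SLOPE = 10.0          # mg/dL per minute treated as physiologically plausible
RSSI_TOLERANCE_DB = 15            # allowed deviation from a sender's learned signal strength


@dataclass(frozen=True)
class Alert:
    t: float
    rule: str
    detail: str


class MedMon:
    """Stateful monitor: learns per-sender RSSI and glucose history from clean traffic only."""

    def __init__(self) -> None:
        self.last_cmd_t: Optional[float] = None
        self.last_glucose: Optional[Tuple[float, float]] = None  # (t, mg/dL)
        self.rssi_hist: Dict[str, List[int]] = {}
        self.alerts: List[Alert] = []

    def observe(self, p: Packet) -> List[Alert]:
        """Check one packet against the policy and return the alerts it raised."""
        found: List[Tuple[str, str]] = []

        # Identity and role checks: unknown IDs, or a known device speaking out of role
        if p.src not in KNOWN_DEVICES or p.dst not in KNOWN_DEVICES:
            found.append(("unknown-device", f"{p.src}->{p.dst}"))
        elif p.kind == "cmd" and p.src != "REMOTE-01":
            found.append(("role-violation", f"{p.src} sent a command"))
        elif p.kind == "glucose" and p.src != "METER-01":
            found.append(("role-violation", f"{p.src} sent a glucose reading"))

        # Physical-layer check: signal strength far from the sender's learned baseline
        hist = self.rssi_hist.get(p.src, [])
        if len(hist) >= 3:
            mean = sum(hist) / len(hist)
            if abs(p.rssi - mean) > RSSI_TOLERANCE_DB:
                found.append(("rssi-anomaly", f"{p.rssi} dBm vs baseline {mean:.0f} dBm"))

        # Semantic checks on what the pump would do with the frame
        if p.kind == "cmd":
            if p.op == "bolus" and p.payload > MAX_SINGLE_BOLUS_U:
                found.append(("max-bolus", f"{p.payload} U > {MAX_SINGLE_BOLUS_U} U"))
            if self.last_cmd_t is not None and p.t - self.last_cmd_t < MIN_CMD_INTERVAL_S:
                found.append(("cmd-rate", f"{p.t - self.last_cmd_t:.0f}s since previous command"))
            self.last_cmd_t = p.t  # the pump acts on every command, so every one counts
        elif p.kind == "glucose":
            lo, hi = GLUCOSE_RANGE_MGDL
            if not lo <= p.payload <= hi:
                found.append(("glucose-range", f"{p.payload} mg/dL"))
            elif self.last_glucose is not None:
                dt_min = (p.t - self.last_glucose[0]) / 60.0
                slope = abs(p.payload - self.last_glucose[1]) / dt_min if dt_min > 0 else float("inf")
                if slope > MAX_GLUCOSE_SLOPE:
                    found.append(("glucose-jump", f"{slope:.1f} mg/dL/min"))

        new = [Alert(p.t, rule, detail) for rule, detail in found]
        self.alerts.extend(new)
        if not new:
            # Learn baselines only from frames that passed every rule
            self.rssi_hist.setdefault(p.src, []).append(p.rssi)
            if p.kind == "glucose":
                self.last_glucose = (p.t, p.payload)
        return new


def run_monitor(packets: List[Packet]) -> List[Alert]:
    mon = MedMon()
    for p in packets:
        mon.observe(p)
    return mon.alerts


# Constructed trace: six benign frames, then four modelled on the attack steps in the text
SAMPLE_TRACE = [
    Packet(0.0, "METER-01", "PUMP-01", "glucose", 120.0, -60),
    Packet(60.0, "METER-01", "PUMP-01", "glucose", 124.0, -61),
    Packet(120.0, "METER-01", "PUMP-01", "glucose", 128.0, -59),
    Packet(180.0, "REMOTE-01", "PUMP-01", "cmd", 1.5, -50),
    Packet(300.0, "REMOTE-01", "PUMP-01", "cmd", 2.0, -52),
    Packet(420.0, "REMOTE-01", "PUMP-01", "cmd", 1.0, -51),
    Packet(430.0, "REMOTE-01", "PUMP-01", "cmd", 25.0, -30),     # forged remote: oversized dose, too soon, odd RSSI
    Packet(440.0, "METER-01", "PUMP-01", "glucose", 350.0, -60),  # bogus reading: implausible jump
    Packet(450.0, "REMOTE-99", "PUMP-01", "cmd", 0.0, -45, op="suspend"),  # unknown ID halting therapy
    Packet(600.0, "METER-01", "PUMP-01", "cmd", 1.0, -60),        # meter ID sending a command it never should
]

if __name__ == "__main__":
    for a in run_monitor(SAMPLE_TRACE):
        print(f"t={a.t:6.1f}  {a.rule:15s} {a.detail}")
```

The monitor never transmits and needs no key material, which is what makes it a plausible fit for the constraints the text describes: the checks are on observable behaviour of the traffic (who is speaking, how strongly, how often, and whether the content is medically plausible), not on cryptographic validation of the frames. Learning baselines only from frames that passed every rule keeps a forged frame from shifting the RSSI or glucose history it is later compared against.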